I have a question about dstnat. We have a /28 network on our public interface and a nat’ed /16 on our private. I can get dstnat working from public numbers to private but my question is whether I need to have a srcnat rule in addition for each server/service. I have several services served up on different public IPs that go to the same private IP/server. SMTP to a SPAM proxy is one. I would think it good to have the reply to a request come from the IP where the request was sent. Example:
In the above when traffic comes to 144.92.249.228:25 what IP does the response come from? .249.228 or .249.226? Do I need to add an IP number to the SMTP server (10.4.2.2) and then change the rule to look like this:
fball -
enk’s solution won’t work as the first src-nat rule will get executed before the netmap src-nat rules will be seen… the order in which the rules are applied is important…
srcnat:
10.4.2.2:25 → 144.92.249.228 ;These two rules will ONLY get executed if the src-port is 25
10.4.2.1:25 → 144.92.249.226 ;otherwise the packet will fall through to the next rule…
Other src-nat rules go here, and finally your ‘general’ src-nat rule for everything not already nat’d that you want to src-nat is last.
dstnat:
144.92.249.226:25 → 10.4.2.1:25
144.92.249.228:25 → 10.4.2.2:25
Same idea for dst nat, put them in the order you want them executed in.
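The ordering described in the reply above, written out as RouterOS `/ip firewall nat` commands. This is an added example, not code from the original thread or from MikroTik; the WAN interface name `ether1`, the router’s own public address 144.92.249.225 used by the catch-all rule, and the private range 10.4.0.0/16 are assumptions. The public and private addresses for the two mail hosts are the ones given in the thread. The src-nat rules match on the server’s private source address rather than on source port 25, so they also cover connections the mail host initiates itself (outbound delivery leaves from an ephemeral source port, not port 25).

```routeros
# Added example (not from the thread): per-host dst-nat and src-nat rules.
# Assumptions: WAN interface is ether1, 144.92.249.225 is the router's own
# public address used by the catch-all rule, private LAN is 10.4.0.0/16.
/ip firewall nat

# dstnat: inbound SMTP on each public IP goes to its own private host.
add chain=dstnat in-interface=ether1 dst-address=144.92.249.226 protocol=tcp dst-port=25 action=dst-nat to-addresses=10.4.2.1 to-ports=25 comment="SMTP .226 -> 10.4.2.1"
add chain=dstnat in-interface=ether1 dst-address=144.92.249.228 protocol=tcp dst-port=25 action=dst-nat to-addresses=10.4.2.2 to-ports=25 comment="SMTP .228 -> 10.4.2.2"

# srcnat: host-specific rules FIRST, so connections each server originates
# leave from the public IP its inbound service is published on.
add chain=srcnat src-address=10.4.2.1 out-interface=ether1 action=src-nat to-addresses=144.92.249.226 comment="10.4.2.1 -> .226"
add chain=srcnat src-address=10.4.2.2 out-interface=ether1 action=src-nat to-addresses=144.92.249.228 comment="10.4.2.2 -> .228"

# General rule LAST: everything else in the private range not matched above.
# Restricting it to src-address and out-interface keeps it from rewriting
# traffic it was never meant to touch.
add chain=srcnat src-address=10.4.0.0/16 out-interface=ether1 action=src-nat to-addresses=144.92.249.225 comment="catch-all"

# Verify the order: rules are evaluated top to bottom and the first match wins.
/ip firewall nat print

# If a host-specific rule was added after the catch-all, move it to the top of
# the list (position 0); chains are evaluated separately, so placing a srcnat
# rule above the dstnat rules is harmless.
/ip firewall nat move [find comment="10.4.2.2 -> .228"] destination=0
```

Two things worth knowing when checking this on a live router: replies to connections that arrived through a dst-nat rule are translated back by connection tracking, so the response to a request sent to 144.92.249.228:25 already comes from .228 without any src-nat rule; the per-host src-nat rules only decide the source address of new connections the private host opens itself (for a SPAM proxy, its outbound deliveries). And because only the first packet of a connection passes through the srcnat chain, a rule that matches on src-port=25 never sees those outbound connections, which is why the example matches on src-address instead.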